Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control clients to access protected areas of a network.
Clients interact with the posture service through the AnyConnect ISE Posture Agent or Network Admission Control (NAC) Agent on the endpoint to enforce security policies, meet compliance, and allow the endpoint to gain access to your protected network. Client Provisioning ensures the endpoints receive the appropriate Posture Agent.
The ISE Posture Agent for Cisco ISE does not support Windows Fast User Switching when using the native supplicant. This is because there is no clear disconnect of the older user. When a new user is sent, the Agent is hung on the old user process and session ID, and hence a new posture session cannot take place. As per the Microsoft Security policies, it is recommended to disable Fast User Switching.
Components of Posture Services
Cisco ISE posture service primarily includes the posture administration services and the posture run-time services.
Posture Administration Services
If you have not installed the Apex license in Cisco ISE, then the posture administration services option is not available from the Admin portal.
Administration services provide the back-end support for posture-specific custom conditions and remediation actions that are associated with the requirements and authorization policies that are configured for posture service.
Posture Run-Time Services
The posture run-time services encapsulate all the interactions that happen between the client agent and the Cisco ISE server for posture assessment and remediation of clients.
Posture run-time services begin with the Discovery Phase. An endpoint session is created after the endpoint passes 802.1x authentication. The client agent then attempts to connect to a Cisco ISE node by sending discovery packets through different methods in the following order:
- via HTTP to Port 80 on a Cisco ISE server (if configured)
- via HTTPS to Port 8905 on a Cisco ISE server (if configured)
- via HTTP to Port 80 on the default gateway
- via HTTPS to Port 8905 to each previously contact server
- via HTTP to Port 80 on enroll.cisco.com
The Posture Phase begins when the Acceptable User Policy (if any) is accepted. The Cisco ISE node issues a posture token for the Posture Domain to the client agent. The posture token allows the endpoint to reconnect to the network without going through the posture process again. It contains information such as the Agent GUID, the Acceptable User Policy status, and endpoint operating system information.
The messages used in the Posture Phase are in the NEA PB/PA format (RFC5792).
Posture and Client-Provisioning Policies Workflow
Posture Service Licenses
Cisco ISE provides you with three types of licenses, the Base license, the Plus license, and the Apex license. If you have not installed the Apex license on the Primary PAN, then the posture requests will not be served in Cisco ISE. The posture service of Cisco ISE can run on a single node or on multiple nodes.
Posture Service Deployment
You can deploy Cisco ISE in a standalone environment (on a single node) or in a distributed environment (on multiple nodes).
In a standalone Cisco ISE deployment, you can configure a single node for all the administration services, the monitoring and troubleshooting services, and the policy run-time services.
In a distributed Cisco ISE deployment, you can configure each node as a Cisco ISE node for administration services, monitoring and troubleshooting services, and policy run-time services, or as an inline posture node as needed. A node that runs the administration services is the primary node in that Cisco ISE deployment. The other nodes that run other services are the secondary nodes which can be configured for backup services for one another.
Enable Posture Session Service in Cisco ISE
Before you begin
- You must enable session services in Cisco ISE and install the advanced license package to serve all the posture requests received from the clients.
If you have more than one node that is registered in a distributed deployment, all the nodes that you have registered appear in the Deployment Nodes page, apart from the primary node. You can configure each node as a Cisco ISE node (Administration, Policy Service, and Monitoring personas) or an Inline Posture node.
The posture service only runs on Cisco ISE nodes that assume the Policy Service persona and does not run on Cisco ISE nodes that assume the administration and monitoring personas in a distributed deployment.
Choose a Cisco ISE node from the Deployment Nodes window.
Under the General Settings tab, check the Policy Service check box,
If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Check the Enable Session Services check box, for the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning session services. To stop the session services, uncheck the check box.
Run the Posture Assessment Report
You can run the Posture Detail Assessment report to generate a detailed status of compliance of the clients against the posture policies that are used during posture assessment.
From the Time Range drop-down list, choose the specific time period.
Click Run to view the summary of all the end points that were active during the selected time period.